Upload File

production of deidentified datasets at the conclusion …

  • Home
  • Documents
  • PRODUCTION OF DEIDENTIFIED DATASETS AT THE CONCLUSION …
1
PRODUCTION OF DEIDENTIFIED DATASETS AT THE CONCLUSION OF HUMAN SUBJECTS TRIALS Korpak A, Schoenfeld D MGH Biostatistics Center The NHLBI ARDS Clinical Trials Network Data Elements were Removed: Patient initials Site coordinator names (user names) Site identifiers Some free-text fields (ex: M.D. names) Screened / non-enrolled patient data Fields that were relevant only with reference to the data entry software Date/time of data entry (audit info.) Data Elements were Modified: Ages over 89 years converted to "89" Race/ethnicity information Height and Weight: truncated to remove identifying extreme values Subject IDs recoded to prevent site identification Calendar dates recoded to be relative to each patient's study day 0 ARDSNet example Documentation provided with dataset should address both the details of the study and any potential confusion that could result from changes made. Documentation should include: Description of all changes made Study protocol documents Case Report forms & instructions Dataset description Documentation Researchers are responsible for ensuring that datasets provided for distribution are appropriately modified to remove identifying information. NHLBI policy requires removal of all obvious identifiers, such as: name social security number family relationships / pedigree hospital record numbers An NHLBI website provides guidelines regarding other data elements. Official Guidelines At the conclusion of a study, researchers often have an obligation to publish their data, but simultaneously are required to preserve confidentiality of human subjects. For instance, NIH research contracts require distribution of data after publication, and call upon the researchers to provide a deidentified dataset, one that is appropriately stripped of all information that might be used to identify subjects or be deemed sensitive information. There are published guidelines for how to produce a deidentified dataset, but these are written in general terms. There is clearly a need for more developed guidelines. The ARDS Network has produced three deidentified datasets for NIH studies. Through these projects, we have produced detailed documentation regarding the creation of such datasets, rooted in the NIH guidelines and refined through application. The final process is generalizable to other studies involving human subjects, and serves as a useful guide for researchers facing the same challenge. Abstract The ARDSNet experience has highlighted some of the elements to be mindful of during any effort to produce a “deidentified” distribution dataset: Balance between data utility and the need to protect patient confidentiality (examples given in Considerations section at left). Audit trails are required in electronic datasets, but access is restricted to the original researchers and sponsor. Before a study even begins, design of the data collection tools can prevent problematic data at the end. Example : well-chosen pick-lists as a good alternative to free-text; benefits to analysis and data deidentification. Recommendations NHLBI Policy for Distribution of Data. NHLBI. 25 October 2002. <http://www.nhlbi.nih.gov/resources/ deca/policy.htm>. ARDS Network SOPs - Data Management SOP on Limited Access Datasets. 28 July 2003, 7 June 2005. References There are few hard-and-fast rules. Study personnel should collaborate with the study sponsor to determine what is appropriate in the given case. Process End of Study: final database used for publication In most cases, remove references to siteID or location Remove or modify free-text entries, audit trail elements, etc. Remove sensitive information: AIDS, drug abuse, history of violence... Remove outliers that realistically risk identification of an individual. Convert all dates to be a day integer that is relative to a defined day0 Remove obviously identifying information and mask study subject numbers basic requirements mask dates very large studies may be allowed to include information on location outliers : What information risks identification? How unusual is an outlier? Define sensitive information in the DB; how is this affected by the nature of the study? (example: AIDS research) Consider other elements that might lead to patient identification. Provide documentation of process Many studies will need to strike a balance between data utility and patient confidentiality concerns. Examples: AIDS researchers may be interested in examining data from other fields, and find less accessible information for tying into their topic. Location can be relevant to interpretation of data, such as in elevation-adjusted P/F ratio. Studies whose data depend upon pedigree/heredity information. Considerations http://biostatistics.mgh.harvard .edu

Upload: others

Post on 12-Dec-2021

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: PRODUCTION OF DEIDENTIFIED DATASETS AT THE CONCLUSION …

PRODUCTION OF DEIDENTIFIED DATASETS AT THE CONCLUSIONOF HUMAN SUBJECTS TRIALS

Korpak A, Schoenfeld DMGH Biostatistics Center

The NHLBI ARDS Clinical Trials Network

Data Elements were Removed:• Patient initials• Site coordinator names (user names)• Site identifiers• Some free-text fields (ex: M.D. names)• Screened / non-enrolled patient data• Fields that were relevant only with

reference to the data entry software• Date/time of data entry (audit info.)

Data Elements were Modified:• Ages over 89 years converted to "89"• Race/ethnicity information• Height and Weight: truncated to

remove identifying extreme values• Subject IDs recoded to prevent site

identification• Calendar dates recoded to be relative

to each patient's study day 0

ARDSNet example

Documentation provided with dataset should address both the details of the study and any potential confusion that could result from changes made.

Documentation should include:• Description of all changes made• Study protocol documents• Case Report forms & instructions• Dataset description

Documentation

Researchers are responsible for ensuring that datasets provided for distribution are appropriately modified to remove identifying information.

NHLBI policy requires removal of all obvious identifiers, such as:• name• social security number• family relationships / pedigree• hospital record numbers

An NHLBI website provides guidelines regarding other data elements.

Official Guidelines

At the conclusion of a study, researchers often have an obligation to publish their data, but simultaneously are required to preserve confidentiality of human subjects. For instance, NIH research contracts require distribution of data after publication, and call upon the researchers to provide a deidentified dataset, one that is appropriately stripped of all information that might be used to identify subjects or be deemed sensitive information. There are published guidelines for how to produce a deidentified dataset, but these are written in general terms. There is clearly a need for more developed guidelines. The ARDS Network has produced three deidentified datasets for NIH studies. Through these projects, we have produced detailed documentation regarding the creation of such datasets, rooted in the NIH guidelines and refined through application. The final process is generalizable to other studies involving human subjects, and serves as a useful guide for researchers facing the same challenge.

Abstract

The ARDSNet experience has highlighted some of the elements to be mindful of during any effort to produce a “deidentified” distribution dataset:• Balance between data utility and the

need to protect patient confidentiality (examples given in Considerations section at left).

• Audit trails are required in electronic datasets, but access is restricted to the original researchers and sponsor.

• Before a study even begins, design of the data collection tools can prevent problematic data at the end.Example: well-chosen pick-lists as a good alternative to free-text; benefits to analysis and data deidentification.

Recommendations

NHLBI Policy for Distribution of Data.NHLBI. 25 October 2002.<http://www.nhlbi.nih.gov/resources/

deca/policy.htm>.

ARDS Network SOPs - Data Management SOP on Limited Access Datasets. 28 July 2003, 7 June 2005.

References

There are few hard-and-fast rules.Study personnel should collaborate with the study sponsor to determine what is appropriate in the given case.

Process

End of Study: final database used for publication

In most cases, remove references to siteID or location

Remove or modify free-text entries, audit trail elements, etc.

Remove sensitive information:AIDS, drug abuse, history of violence...

Remove outliers that realistically risk identification of an individual.

Convert all dates to be a day integer that is relative to a defined day0

Remove obviously identifying information and mask study subject numbers

basic requirements

mask dates

very large studies may be allowed to include information on location

outliers:What information risks identification?How unusual is an outlier?

Define sensitive information in the DB; how is this affected by the nature of the study? (example: AIDS research)

Consider other elements that might lead to patient identification.

Provide documentation of process

Many studies will need to strike a balance between data utility and patient confidentiality concerns. Examples:• AIDS researchers may be interested

in examining data from other fields, and find less accessible information for tying into their topic.

• Location can be relevant to interpretation of data, such as inelevation-adjusted P/F ratio.

• Studies whose data depend upon pedigree/heredity information.

Considerations

http://biostatistics.mgh.harvard.edu

‘Transformed Health Through Data & Insights’ · •PATCAT Data: 1,500,000 (Approx.) deidentified patient records every month from 140 general practices •LinkedEHR Data: 1295

Consumer Survey Datasets

Datasets and MapBuilding.pdf

Describing Linked Datasets

TimeScale Creator datasets

SAS Manipulate Datasets

Cessna 206 C206G 1976 POH Scanned Deidentified

Physical Therapy Aide - blackstone.edu · Preparing the patient and environment for ... Security Rules, Protected Health Information, access control, deidentified information, and

DG SANTE Datasets

Using Curated Datasets

Session 1: Core Pharmaceutical Datasets Retail and Non … · Session 1: Core Pharmaceutical Datasets ... Learn about core pharmaceutical datasets ‐retail and ... – Restricted

COMPASSS Working Paper 2014-77 · COMPASSS Working Paper 2014-77 ... to analyse survey datasets. ... then the conclusion would be that it is the combination of

US-AMLR Datasets

Annotating Research Datasets

Citing Datasets

MFC Datasets: Large-Scale Benchmark Datasets for Media

US AMLR datasets

SIGCOMM 2011. Outline Introduction Datasets and Metrics Analysis Techniques Engagement View Level Viewer Level Lessons Conclusion

A Methodological Framework to Combine Multiple Precipitation Datasets across … · 2020. 5. 2. · Conclusion 1) the best basin-wide precipitation product evaluated against the precipitation-gauge

I Hcantabria Datasets

Resilient Distributed Datasets

Preparing Research Datasets

Tragedy of the Deidentified Data Commons An Appeal for Transparency and Access

Exploiting Digital Datasets

Clustering - Visualization · Hierarchical clustering for large datasets? • OK for small datasets (e.g.,

BRC 2011 Session #4 – “Omics” Data. Session #4 - Outline Challenges and Opportunities pathogen datasets; host datasets; integrating pathogen-host datasets

Lesson 6 - Topics Reading SAS datasets Subsetting SAS datasets Merging SAS datasets

Logic Programming Datasets

Hawaii LIDAR Datasets

L6. Unbalanced Datasets

Analyzing Metabolomic Datasets

Bukola Johnson LUMA-GIS, Sweden. Objectives Background Datasets Methodology Results Conclusion

Large aCGH Datasets

Mining Large Datasets: Case of Mining Graph Data in the Cloud · 2014-05-22 · Background Contributions Conclusion Mining Large Datasets: Case of Mining Graph Data in the Cloud Sabeur

proc datasets - SAS